Hi Tom,
AD integrated DNS can use signed DNS updates to stop exactly this sort of
thing. It's a sort of standardish way to do it, but I don't know whether
any other OS supports it. Historically, the various versions of Bind allow
only IP address restrictions on dynamic updates. At least one uni that I
know of specifically disallows dynamic updates to their root domain (Bind
hosted) for this reason, and puts all DDNS clients in a delegated subzone.
O'Reilly's 'DNS for Windows 2000' describes the Win2K secure DNS update
mechanism rather more clearly than I can (it's based on cryptographically
signed DNS packets in some way) but I don't have it to hand. When Win2K
came out, there was no 'standard' way to do signed DNS updates. There's now
a framework called DNSSEC, designed to do exactly this sort of thing. It's
supported by Bind 9, and my understanding is that MS are looking at it for
inclusion in their product line at a later date - not sure whether anyone
on this list has more up to date info?
So to sum up, secure DNS update is do-able with AD integrated DNS, but your
legacy/Un**X clients might not be allowed to make updates. If you use MS
DHCP you could use that to do the A record updates as well as the PTR. If
you use static addressing, you may end up making DNS updates manually, or
by some sort of script.
Paul
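The rule Paul describes (only an authenticated principal may update a record, and a record can only be changed by the principal that created it) is easy to see in a small simulation. The following is an added example, not code from either poster or from Microsoft's or Bind's implementation: it replaces the real Windows mechanism (Kerberos-based GSS-TSIG) with a plain HMAC-SHA256 signature over the update, and all key names, hostnames and addresses are constructed for the demo. It replays Tom's scenario of a student machine named HOME trying to overwrite the server's HOME record.

```python
import hashlib
import hmac

# Constructed demo keys (hypothetical principal names). A real deployment
# derives these from Kerberos (Windows) or per-client TSIG keys, never
# from literals in source.
KEYS = {
    "admin": b"constructed-admin-secret",
    "dhcp-server": b"constructed-dhcp-secret",
    "student-pc": b"constructed-student-secret",
}


def _canonical(key_name: str, name: str, rdata: str) -> bytes:
    """Bytes covered by the signature. DNS names are case-insensitive,
    so the name is lower-cased before signing and before verifying."""
    return f"{key_name}|{name.lower()}|{rdata}".encode()


def sign_update(key_name: str, name: str, rdata: str, keys=KEYS) -> dict:
    """Build an A-record update (name -> rdata) authenticated with
    HMAC-SHA256 under the named key (stand-in for a TSIG signature)."""
    mac = hmac.new(keys[key_name], _canonical(key_name, name, rdata),
                   hashlib.sha256).hexdigest()
    return {"key": key_name, "name": name, "rdata": rdata, "mac": mac}


class SecureZone:
    """Toy zone: accepts only signed updates and enforces record ownership,
    i.e. the principal that created a name is the only one allowed to change it."""

    def __init__(self, keys=KEYS):
        self.keys = keys
        self.records = {}   # lower-cased name -> (rdata, owner key name)

    def add_static(self, name: str, rdata: str, owner: str = "admin") -> None:
        """Pre-register a server record so that it is owned by the admin key."""
        self.records[name.lower()] = (rdata, owner)

    def apply(self, update: dict) -> str:
        """Apply one update and return a DNS-style RCODE name."""
        key = self.keys.get(update["key"])
        if key is None:
            return "REFUSED"      # unknown signer: not authenticated at all
        expected = hmac.new(
            key, _canonical(update["key"], update["name"], update["rdata"]),
            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, update["mac"]):
            return "REFUSED"      # signature does not verify (tampered/forged)
        name = update["name"].lower()
        existing = self.records.get(name)
        if existing is not None and existing[1] != update["key"]:
            return "REFUSED"      # name is owned by a different principal
        self.records[name] = (update["rdata"], update["key"])
        return "NOERROR"

    def lookup(self, name: str):
        rec = self.records.get(name.lower())
        return rec[0] if rec else None


def demo() -> dict:
    """Replay the list scenario and return the RCODE observed for each step."""
    zone = SecureZone()
    zone.add_static("home", "10.0.0.5")          # the real server, admin-owned
    results = {}
    # DHCP server registers a client name nobody has claimed yet.
    results["dhcp_new_client"] = zone.apply(
        sign_update("dhcp-server", "lab-pc-17", "10.0.1.17"))
    # Student machine, correctly signed with its own key, tries to take HOME.
    results["student_takeover"] = zone.apply(
        sign_update("student-pc", "HOME", "10.0.1.42"))
    # Same student alters a signed update after the fact.
    forged = sign_update("student-pc", "lab-pc-17", "10.0.1.42")
    forged["name"] = "home"
    results["tampered"] = zone.apply(forged)
    # The student can still register a name that nobody owns.
    results["student_own_name"] = zone.apply(
        sign_update("student-pc", "tom-laptop", "10.0.1.42"))
    # Only the admin key may change the server record (case-insensitively).
    results["admin_update"] = zone.apply(sign_update("admin", "Home", "10.0.0.6"))
    results["home_ip"] = zone.lookup("HOME")
    return results


if __name__ == "__main__":
    for step, rcode in demo().items():
        print(f"{step}: {rcode}")
```

The point of the ownership check is the difference from Bind's IP-based ACLs that Paul mentions: a student machine on an allowed subnet is still refused, because the HOME record belongs to another principal, and a record-level ACL is exactly the "granularity" Tom asks about.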
From: Barber Tom <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Date: 05/06/2002 14:59
Subject: [ActiveDir] Secure DNS
Please respond to ActiveDir
Forgive me if this has been discussed before; I think I need some basic
answers.
Current environment:
Educational environment (college).
Windows 2000 Native Mode, Single domain, Single Forest
Windows 2000 DNS Server, non-DC
Every conceivable client OS from Win 9x to Linux.
Here's the issue. Our current DNS utilizes Dynamic Updates, and includes
both servers and clients. This is working OK, except when someone (in our
case usually a student) decides to name their computer the same name as a
server. An example: Someone names their machine HOME. There is a server
here named HOME. When the computer is added to the domain, DHCP provides
an IP address, then either DHCP or the computer (depends on OS) dynamically
updates the DNS record of HOME to point to the "new" HOME machine.
Obviously, we see this as an issue - basically students can "take over" the
name of a server. This has happened only a few times, and it was
inadvertent; we would like to make it technically difficult or even
impossible to do.
So...my question is, can I make my main DNS server a DC, then secure our
DNS in some way to only allow certain users or domain computers to
dynamically update the Host records? Also, how much granularity is there
to Secure DNS?
Anyone with insight...thanks for your responses.
-Tom Barber
Systems Manager
Alfred State College
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/